Seamless Sigma Integration with Velociraptor for Your Open-Source SIEM

5 min readApr 13, 2025

Introduction

Open-source cybersecurity practitioners often struggle to incorporate Sigma detection rules into their existing Security Information and Event Management (SIEM) tools — think Wazuh, Graylog, or similar stacks. Typical solutions range from manual configuration to complex Python conversions, which often fall short.

In this post, we’ll explore Velociraptor, an endpoint monitoring and digital forensic tool that has native Sigma support. You’ll learn how to integrate Sigma seamlessly, schedule automated scans, exclude noisy detections, and push alerts to Copilot (or any other incident management platform).

Let’s jump right in!

1. Why Sigma + Velociraptor?

Sigma is a generic framework for creating log-based detection rules. It offers a huge library of community-driven rules for a variety of platforms. The challenge is typically converting those rules for each specific SIEM. Velociraptor addresses this by running Sigma queries directly at the endpoint, only sending the relevant (matched) events to your SIEM or incident management tool. This approach significantly reduces log storage requirements and streamlines detection.

2. Setting Up Sigma with Velociraptor

1. Download the Sigma Artifact Pack

Velociraptor provides an official Sigma Artifact Pack that you can upload to your Velociraptor server.
Head to the Velociraptor repository or the official docs to find the zip file containing all Sigma-related artifacts and configuration.

2. Upload Artifacts to Velociraptor

Within Velociraptor’s web interface, go to View Artifacts → Upload Artifact Pack.
Select the zip file you downloaded. Velociraptor will import the necessary definitions.

3. Import the Curated Sigma Rules

Once the pack is uploaded, search for the artifact named Server.ImportCuratedSigma (or something similar, depending on the version).
Click New Collection → Configure the parameters to select which rule sets you want to import (e.g., Hayabusa rules).
Launch the collection. This step fetches and stores the latest Sigma rules on your Velociraptor server.

Running a Standalone Scan

To confirm that your Sigma rules are working correctly, choose an endpoint in Velociraptor and run a standalone scan. Select “Windows.Hayabusa.Rules” (or whichever set you imported) under New Collection. Adjust the log directory path, pick which severity levels to monitor (critical, high, medium, etc.), and optionally add rule exclusions to silence known noisy detections.

Launch the scan. Velociraptor will read local event logs on the endpoint, apply your selected Sigma rules, and show you real-time matches. You’ll see the rule name, severity level, and related event details. This confirms everything is configured properly.

Excluding Noisy Events

Some rules inevitably generate alerts you would prefer to suppress. Velociraptor allows you to add regex-based exclusions in the scan parameters. By referencing the rule name, ID, or relevant metadata, you can easily filter out repetitive alerts that don’t warrant attention. This helps you focus on high-value detections and keeps your dashboard clean.

Automating Sigma Analysis

Manual scans are fine for testing, but real security operations demand continuous monitoring. Velociraptor offers a “Client Monitoring” feature that schedules automated Sigma checks on each endpoint.

Navigate to “Client Events” and update the client monitoring table. Pick the Windows.Hayabusa.Monitoring artifact (or equivalent) and configure the same settings as your standalone test (severity, exclusions, etc.). Specify a scan frequency (for example, every 60 seconds or every 5 minutes). Velociraptor will handle the rest, reviewing new event logs at each interval, running the rules, and sending any matches to the server.

Forwarding Alerts to CoPilot (Incident Management)

Once Velociraptor is automatically detecting suspicious events, you can integrate with a case management or incident response platform like Copilot. Create an artifact in Velociraptor (for example, “CoPilot.Events.Upload”) that makes a POST request to your CoPilot server.

name: CoPilot.Events.Upload


description: |
  This server monitoring artifact will watch a selection of client or
  server monitoring artifacts for new events and push those to a
  user-defined HTTP endpoint.

  NOTE: You must ensure you are collecting these artifacts from the
  clients by adding them to the "Client Events" GUI, or for server
  artifacts, the "Server Events" GUI.

type: SERVER_EVENT

parameters:
  - name: HTTPEndpoint
    description: The URL where collected events will be sent
    default: http://copilot:5000/api/incidents/alerts/create/velo-sigma

  - name: VELOCIRAPTOR_API_HEADER_VALUE
    description: The header used when invoking the CoPilot endpoint
    default: ab73de7a-6f61-4dde-87cd-3af5175a7281
    
  - name: WazuhIndexPattern
    description: The Wazuh Index pattern that will be searched on.
    default: wazuh-*

  - name: ClientArtifactsToWatch
    type: artifactset
    artifact_type: CLIENT_EVENT
    default: |
      Artifact
      Windows.Hayabusa.Monitoring

  - name: ServerArtifactsToWatch
    type: artifactset
    artifact_type: SERVER_EVENT
    default: |
      Artifact
      Server.Audit.Logs

  - name: DisableSSLSecurity
    type: bool
    description: Disable SSL certificate verification
    default: false

sources:
  - query: |
      LET artifacts_to_watch = SELECT *
      FROM chain(
        a={ SELECT Artifact FROM ClientArtifactsToWatch },
        b={ SELECT Artifact FROM ServerArtifactsToWatch }
      )
      WHERE NOT Artifact =~ "CoPilot.Events.Upload"
        AND log(message="Uploading artifact " + Artifact + " to CoPilot")

      LET s = scope()

      LET events = SELECT *
      FROM foreach(
        row=artifacts_to_watch,
        async=TRUE,
        query={
          SELECT *,
                 "Artifact_" + Artifact AS _index,
                 Artifact,
                 client_info(client_id=(s.ClientId || "server")).os_info.hostname AS Hostname,
                 timestamp(epoch=now()) AS timestamp
          FROM watch_monitoring(artifact=Artifact)
        }
      )

      SELECT *
      FROM foreach(
        row=events,
        query={
          SELECT *
          FROM http_client(
            data=serialize(item=dict(
                computer=format(format="%v", args=[Computer]), clientID=format(format="%v", args=[ClientId]), channel=format(format="%v", args=[Channel]), title=format(format="%v", args=[Title]), level=format(format="%v", args=[Level]), event=format(format="%v", args=[_Event]), type="sigma-alert", source="velociraptor", index_pattern=WazuhIndexPattern, sourceRef=format(format="%v", args=[rand(range=1000000000)])), format="json"),
            headers=dict(`Content-Type`="application/json", `velociraptor`=VELOCIRAPTOR_API_HEADER_VALUE),
            disable_ssl_security=DisableSSLSecurity,
            method="POST",
            url=HTTPEndpoint
          )
        }
      )

In the Velociraptor “Server Events” or “Server Monitoring Table” section, configure the new Copilot artifact by supplying your Copilot server address and any required headers or API tokens. Specify which artifact sets you want monitored (like Windows.Hayabusa.Monitoring). Whenever Velociraptor encounters a new Sigma detection, it makes a POST request to Copilot.

In Copilot, these alerts appear in the incident management console, complete with Sigma rule names, timestamps, and severities. If you have Wazuh or another SIEM feeding logs into Copilot, you can correlate data for richer context. This centralizes your alert handling, letting you address incidents from one dashboard.

Key Benefits of Endpoint-Driven Sigma

Running Sigma logic on the endpoint means you only push matched alerts into your SIEM, rather than sending mountains of raw logs. This method reduces storage overhead, speeds up threat detection, and simplifies data ingestion pipelines. You also gain immediate flexibility. If a new rule or a new variant emerges, you can quickly update Velociraptor’s Sigma pack and push changes to endpoints without rewriting your entire SIEM detection layer.

Troubleshooting and Best Practices

Always confirm your event log paths in Velociraptor match real-world folder structures on each endpoint. Use rule exclusions to mute known false positives. If you see performance concerns, adjust scan frequency or limit the scope to critical or high-severity rules first. For broader coverage later, you can reintroduce medium or low-severity rules incrementally.

Stay current with your Sigma rules by regularly fetching updates from community repositories. You can also build custom rules to handle organization-specific threats. Testing new or experimental Sigma rules in a lab or dev environment ensures your production pipeline remains stable.

Conclusion

Velociraptor’s native Sigma integration is a game-changer for teams relying on open-source security tools. By processing detections locally and forwarding only relevant alerts, you save on storage and complexity. Coupled with an incident management tool like Copilot, you now have a complete detection-to-response workflow.

Embrace this approach if you need a more powerful and cost-effective way to manage your open-source SIEM environment. By eliminating the guesswork of manual Sigma conversions and focusing on actual threat detections, your team can respond quickly and effectively to real security incidents.

Need Help?

The functionality discussed in this post, and so much more, are available via the SOCFortress platform. Let SOCFortress help you and your team keep your infrastructure secure.

Website: https://www.socfortress.co/